To troubleshoot SceCli events with event ID 1202, run the following command:
FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
In some cases the command returns an error because the winlogon.log file does not exist:
“File not found – C:\WINDOWS\SECURITY\LOGS\WINLOGON.LOG”
To enable creation of the winlogon.log file, edit the registry.
Start the Registry Editor and open the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Open the value ExtensionDebugLevel and set it to 2.
The default value is 0.
Now refresh Group Policy with gpupdate /force.
Now it is possible to identify accounts that could not be resolved to a SID.
From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
The string following “Cannot find” in the FIND output identifies the problem account names.
No mapping between account names and security IDs was done.
Cannot find gmsa.
Configure S-1-5-21-232029976-1651249474-311576647-2322.
To look up the account behind a SID that appears in the log, use PowerShell:
Import-Module ActiveDirectory
Get-ADUser -Identity S-1-5-21-232029976-1651249474-311576647-2322
Or via WMIC:
wmic useraccount where sid="S-1-5-21-232029976-1651249474-311576647-2322" get name
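
The steps above combined into one PowerShell script, as an added example that is not part of the original post: it checks that ExtensionDebugLevel is 2, extracts the account names that follow "Cannot find" in winlogon.log, and tests whether each name resolves to a SID. The function name Get-UnresolvedGpoAccount is hypothetical.

```powershell
# Added example, not from the original post. The function name is hypothetical.
function Get-UnresolvedGpoAccount {
    [CmdletBinding()]
    param(
        [string]$LogPath = (Join-Path $env:SystemRoot 'Security\Logs\winlogon.log')
    )

    # Registry key and value from the post: 2 enables winlogon.log, the default is 0.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
    $level = (Get-ItemProperty -Path $key -Name ExtensionDebugLevel -ErrorAction SilentlyContinue).ExtensionDebugLevel
    if ($level -ne 2) {
        Write-Warning "ExtensionDebugLevel is '$level', expected 2; the log may be missing or stale."
    }
    if (-not (Test-Path -LiteralPath $LogPath)) {
        Write-Warning "Log not found: $LogPath. Set ExtensionDebugLevel to 2 and run gpupdate /force."
        return
    }

    # Log lines look like "Cannot find gmsa."; capture the name without the trailing period.
    # Select-String is case-insensitive by default, like FIND /I.
    $names = Select-String -LiteralPath $LogPath -Pattern 'Cannot find\s+(.+?)\.?\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } |
        Sort-Object -Unique

    foreach ($name in $names) {
        $sid = $null
        try {
            # Translate() throws when the name has no SID mapping.
            $account = New-Object System.Security.Principal.NTAccount($name)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            # Name still cannot be resolved; $sid stays empty.
        }
        [pscustomobject]@{ Account = $name; Resolves = [bool]$sid; Sid = $sid }
    }
}

Get-UnresolvedGpoAccount | Format-Table -AutoSize
```

Accounts listed with Resolves = False are the ones still referenced by a policy setting but missing or renamed in the directory.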